Fata Morgana (chimerically) wrote,

electronic voting at Grace Hopper

Thursday afternoon at Grace Hopper, Barbara Simons and Ellen Theisen talked about the loaded issue of electronic voting. VotersUnite.org is dedicated to establishing and maintaining transparent elections, as is VerifiedVoting.org and others. As in my previous post, I'll report what they said (or at least the parts that I wrote down) with minimal interpretation, though I do have strong opinions on this matter as well.

They started off discussing overseas ballots. It turns out that Missouri, along with North Dakota and Utah, is allowing its troops overseas to vote. This sounds reasonable enough until you hear the details. First of all, there is no secret ballot at the voting site. In addition, completed ballots are scanned in and emailed to the DoD, which faxes them to election officials. This is wrong on so many levels. There could be coercion at the voting site, and forgery or "loss" would be so easy with so many steps in the process. And there are no laws against this sort of thing. Organizations including the ACM have made statements calling for permanent records for ballots, but so far none have been codified in laws.

There are several machine types for electronic voting.
  • One of the more primitive types is the optical scanner, such as the bubble-scans many of us are familiar with from standardized testing. The machines can tell you if you've overvoted or if the ballot is empty, but these machines are prone to errors, and it's hard to support other languages or the blind.
  • Screen-based systems can have earphones and multi-lingual support, and can also give warnings for such things as under- and over-voting.
  • Ballot-marking systems combine these two: they have the benefits of screen-based systems, and mark or print an optical scan form. Often, though, the scan form is coded and thus can't really be checked by the voter, as is the case with the Populix machine.
  • Direct recording electronic devices, or DREs, are becoming the most common system. Their main feature - some claim it's a benefit, though many (including the speakers and me) say it's actually a major drawback - is that these systems have no paper record that the voter verifies. So there's nothing to recount, no audit trail. These machines will be used in the 2004 election by 30% of the country, including California. The software is completely closed source. The machines made by Demonte and Acupoll also can produce paper ballots, but those made by Diebold, ESS, and Sequoia (and others) produce no paper ballots. (Sequoia is adding printers to their machines, but the printers will print on a roll of paper, raising privacy concerns.) Diebold, the company that's especially been in the press, actually has both paperless and optical-scan machines, but the paperless ones are being used the most.


Some places like New Hampshire require random recounts, but some places like Florida have never done it. Because Florida never does recounts, they didn't know how to do them and kept avoiding them. California requires a recount of 1%. Since California uses the paperless Diebold machines, a random 1% of the ballots are printed at the end of the day and counted - so much for paperless elections!

In the 2002 election in Georgia, only Diebold machines were used. There were some anomalies in the election. Perhaps they were legitimate, perhaps not, but with the Diebold machines, there's no way to check - no paper trail, and no access to the software. Alarmingly, Walter O'Dell, the Diebold CEO, did fundraising for Bush, though Diebold has recently issued a commitment to staying out of politics.

Recently, some academics found Diebold voting software on an open FTP site and took it for examination. They found that the encryption key was the same for all Diebold machines. Two places to get more information on this are the Hopkins report and the SAIC study of Diebold, the latter of which was produced as Maryland considered adopting Diebold machines statewide.

The Diebold voting terminals run Windows CE, and their software is written in C++. Sixteen Windows patches are needed on Diebold machines, but they make the system crash - so the system must be insecure to function. There's no requirement to audit external software, even if Diebold modified it (which they did for Windows CE).

Election Certification Stupidity

The software development process is completely incompatible with the election certification process. To get certified, companies have to send their code to an independent testing facility which takes TWO YEARS to verify code - and they just go down a checklist of expected problems, not any unexpected ones. Voting software manufacturers have to PAY for the results of the test. So what happens when they find a bug? Their options are to 1) hide it, 2) report it and go through re-certification which takes years and hundreds of thousands of dollars, or 3) install the changed software on machines without getting it certified. This last option seems most reasonable, and indeed, modified software has been found on machines in Indiana, California, Arizona, and Washington. When caught, the software manufacturers showed how the old certified software actually mis-tabulated votes, something that was not caught in the certification process. Additionally, the contracts between voting software manufacturers and these testing agencies are secret.

The people who know the input - the voters - don't know what the output of these machines is, and vice versa. This means there's no way to monitor the results of the election. Theisen likened this to "beta-testing" a parachute by jumping out of a plane with it and hoping it opens - except that with voting software, you STILL don't know whether the parachute opened when it's all over.

Answers to misc. questions

There's a common misconception in the general public that computers are accurate. Computers are fast and consistent, but they're only as accurate as they're coded to be. Pollworkers are blamed when machines malfunction, and often they're older volunteers who have little computer knowledge. Many election officials just want to get elections over with as quickly as possible, and are resistant to change. When electronic voting machines come into the picture, there's often a lot of dependence between officials and vendors - in some cases, the vendors are called in to run the election.

A major security risk is insider fraud. There has always been fraud and disenfranchisement, especially in the South, but before computerized voting, it was hands-on and involved a lot of people. Now, it's easy for one person to do it - they just need to change the code. There's no central repository for bugs in voting systems. There's an urban legend, perhaps true and perhaps not, of two Berkeley students who volunteered their apartment as a polling place. A week before the election, the machines arrived at their apartment. Sure, they were all wrapped up, but that's not much of a safeguard against tampering.

Usability in ballot design is a whole separate issue that really needs to be addressed.

Absentee ballots aren't without problems, but at least there's SOME record of your vote.

What can we do? Well, aside from voting, you can volunteer as an election official or write letters to the editor of your local newspaper calling for better procedures.

Articles to read